Different online threats and threat-appraisal process

The threat-appraisal process was examined through the threat scenarios and overall online security experiences. Perceived threat vulnerability and severity have been defined as the core functions to create motivation, and previous research has proposed that both have to take place in order to create fear (Liang 2010). In this study, while individuals perceive their vulnerability low to the threat scenarios, the severity of them is perceived high. This is in line with the existing research which suggests that individuals understand the severity of the threat, but they may not think that they are likely to be affected (Lee 2008). Similarly, it is suggested that individuals are aware of online threats, but they believe the risk to be low (Loch 1992).

Based on the existing literature, it is assumed that vulnerability alone is not creating the motivation to buy (Liang 2010). This study shows supporting, while limited, evidence that those who currently have a security product did not perceive higher vulnerabilities in comparison to those who do not have any or do not know if they have.

The only exception, which will be discussed later, is the threat of getting a virus on their computer. This poses a question that if individuals do not generally feel that they could become a victim of these threats, why have they acquired some security on their

68

devices. To continue, while the perceived vulnerability is low for different threat scenarios, individuals still feel that they in general could become victims of online crime. This suggests that instead of these studied threat scenarios, they are worried about something else or have different reasons to be motivated. However, this study focused on more common threats and topics that individuals may have heard about, limiting the opportunity to explore the more complex and less known threats.

When analysing the results on only perceived threat vulnerability, this study supports previous studies by identifying that in the context of online security, unrealistic optimism does exist (Besnard 2004; Lee 2008; Emilien, Weitkunat et al. 2017). Some of the most highlighted threat scenarios which are affected by unrealistic optimism, are around phishing and clicking malicious links. Individuals feel like they would recognise these threats online and would apply careful behaviour. However, these two threats exist, and it is unrealistic to assume that they could be completely avoided when using the internet, and especially when using e-mail and social media. At the same time, some threat scenarios are more difficult to categorise for unrealistic or realistic optimism. For example, individuals who state that they avoid unknowingly downloading harmful files. This might hold true, and thus be realistic optimism, if they never download anything, even attachments in e-mails or applications to smartphones. While this also seems unavoidable, it is possible that the person requests help from others in necessary situations. Similar threats potentially are for example online shopping and public Wi-Fi as these scenarios can be avoided, if the person never buys anything online or never uses public Wi-Fi. Another key theme rising from perceived vulnerability is the number of “I don’t know” responses. While this can be caused by the lack of overall knowledge on online security, it might tell that consumers generally do not have any idea whether these threats could happen to them.

Certainly, perceived threat vulnerability is a complex concept. As discussed, it is a combination of multiple factors, such as confident but careful behaviour, unrealistic optimism and realistic optimism. Also, individuals have a feeling of security online but also disbelief that online criminals would be interested in their, ordinary people’s, data.

Then again, across the threat scenarios, the perceived threat severity is high, and individuals feel that these threats are either quite severe or very severe. Due to the lack of opposite end of responses (not severe), it is possible that individuals feel that

69

any online threat is severe. This assumption diminishes the importance of perceived threat severity in the PMT framework, as the overall feeling is that whatever the threat, it is severe. Yet, it is necessary to recognise that how the threat scenarios are posed in this study can possibly create a mindset that anything related to online threats and these threats happening to anyone is serious. The majority of the question framings also assume that the threat would happen to the individual, making it highly personally relevant. At the same time, the majority of the research sample was identified to have some security solution, which is likely to affect the perceived severity outcome. Those who already have thought about online security products enough to be ready to acquire one, may perceive online threats more severe than those who have not chosen to install any security products. However, due to lack of data, this assumption cannot be confirmed.

Regardless of these considerations, some themes emerged from the threat scenarios.

In terms of perceived severity, the most evident theme which emerged throughout the data collections was money. This theme is potentially explained by the existing literature, which proposes that when consumers are considering online security, they analyse the trade-off between the cost of the protection and the cost of the loss (Besnard 2004). This finding shows that there are potentially some scenarios which are likely to affect the motivation to purchase, especially if the individual identifies the potential loss of money higher than the price of the security product. Generally, the cost of the potential loss is not easy to identify, which leaves the individual to define this themselves and these estimations may differ largely. While individuals were worried about online banking and payment related threats, there was an indication that the amount of money on the bank account is likely to affect the worry. This assumes, that if the savings on the bank account are low, they would be less worried about the threat. This notion ties it back to the cost of potential loss again. When looking at the theme of money from the perspective of very low perceived threat vulnerability, the findings suggest that there are multiple reasons to believe that these money-related scenarios would not happen to the individuals. Generally, individuals trust the banks and national systems to keep them safe when they browse these sites. And then again, they feel that they would recognise, and thus avoid, phishing which is related to financial matters. Also, even though individuals do online shopping, book hotels and purchase flights online, some try to avoid doing these or are very careful in these

70

actions. These findings indicate that people analyse their behaviour online before making any money-related actions in order to avoid financial losses. However, these discoveries are likely to be linked to unrealistic optimism, as all these individuals take financial actions online, and thus, are potential victims of these crimes.

Another core theme which emerged throughout this study was passwords. Previous research highlights that in fact, 40 % of Finnish people use the same password in multiple logins (Nordea 2019). While passwords are a key theme in the context of online security, it is shown that individuals do not take these matters very seriously.

There is shown to be concern around password leaks, however, the effort needed to keep passwords more secure shows to be too high. And even though there is awareness on password security, the complexity and purposes behind these crimes are not shown to be known. For example, individuals feel that they have nothing to hide in their social media or e-mail accounts. While this can be true, the assumption indicates lack of knowledge on what online criminals can do for example with personal information.

To follow the PMT framework and its threat-appraisal process, perceived threat severity and vulnerability are evaluated together. In this study, as the perceived vulnerability for the majority of the threat scenarios was even below the positive level and the individuals felt threats relatively unlikely, those with the highest perceived vulnerability would provide the best indication. These included getting a virus on a computer, becoming a victim of phishing and clicking a malicious link in e-mail or social media. Thus, in contrast to previous discussions, if both severity and vulnerability were required to be high, money-related variables would not increase the motivation to acquire an online security product. Then again, those scenarios of virus, phishing and malicious links were also highlighted throughout the research and emerged often as examples of secure online behaviour and things that people consider when browsing online. Therefore, in comparison to, for example, money-related threats, it is potential that these increase the motivation for more secure behaviour but may not increase the motivation of acquiring the product. These examples were shown to be common knowledge across the individuals with average self-efficacy and will be discussed further later.

71

As defined earlier, this study also explored directly individuals’ motivations to acquire an online security product, based on the same threat scenarios as for perceived vulnerability and severity. These findings test PMT and the assumption that both perceived vulnerability and severity are needed in order to actuate the motivation creation process. The identified motivators were very much in line with the perceived threat severity, indicating that in fact, severity might affect the motivation to purchase more than perceived threat vulnerability. If motivations were analysed through this approach, the four money-related scenarios are considered the most motivating threats. While this discussion provides interesting insight to the field, it is necessary to recognise that the question framing assumed that the threat had already happened to the individual. Therefore, the question relies not only on the acknowledgement of these threats, but on the actual exposure to these threats.

In addition to individual threats, it is worth noting that when exploring the motivations outside the threat scenarios, overall security and safety online become a key aspect.

This challenges, or provides another layer on, the individual threats, as individuals experience the threats as an overall concept. If following this finding through the threat-appraisal process in PMT, it is potential that individuals feel vulnerable to the overall threat and perceive the overall threat severe. To understand the difference between different threats and the overall threat, further research is required.